WhatsApp: should we choose security over privacy? And is there a choice?

by Helen Davenport

May 09, 2017

Helen Davenport discusses whether the government should interfere in issues such as WhatsApp and encrypted messages.

Helen Davenport, director, Gowling WLG

In the aftermath of the Westminster terror attack last month, it emerged that the attacker, Khalid Masood, had used the secure messaging app WhatsApp to send messages immediately before embarking on the 82-second attack, which ultimately left four people dead and 50 injured. Speaking in the days afterwards, Home Secretary Amber Rudd called for tech companies to co-operate more with law enforcement agencies and to stop offering "a secret place for terrorists to communicate with each other". That has sparked concerns in privacy circles that there could be a reopening of the debate on the extent of government surveillance under the Investigatory Powers Act – the so-called "Snooper's Charter".

The news that terrorists like to use private and secure messaging platforms is hardly surprising, nor does it mark them out from the majority of the population. WhatsApp boasts more than one billion users in 180 countries. Whilst its primary draw is undoubtedly the simple and convenient user experience, privacy and security are key parts of its service offering. Messages and calls placed through WhatsApp and similar apps are secured with end-to-end encryption, which in theory means that no third party (including the platform provider) can read or listen to them.

That claim saw WhatsApp in the headlines earlier this year when it emerged that there was a vulnerability in the app which could theoretically allow the interception of users' messages, leading to concerns that the vulnerability could be exploited by intelligence services.

At first glance, these latest calls from government suggest there is a further desire to erode privacy by attacking encryption. In fact, under the Investigatory Powers Act introduced last year, courts can already compel communications service providers to remove encryption from communications in certain circumstances, and subject to certain safeguards. In some cases such decryption may be relatively straightforward. However, where a provider's whole platform is predicated on true end-to-end encryption, decrypting individual messages after the event is not an option – government would need to put an end to such end-to-end encryption as a whole. Given that privacy and security are such a key selling point, tech companies are reluctant to be seen voluntarily to allow government to interfere with their customers' privacy, and so it seems the UK government is reluctant to put its existing powers to the test on this tricky subject with a high-profile opponent.

Of course, quite aside from whether government can interfere with encryption, there is the question whether it should. Encryption serves valuable legitimate purposes and supports key economic activity by underpinning communications and banking. Seeking to force providers to provide backdoors potentially undermines the security of legitimate applications, as a backdoor for intelligence services is equally a vulnerability capable of being exploited by hackers and criminals. Likewise, if mainstream messaging platforms are opened up in this way, those who want to remain undetected will simply be driven to darker platforms. Attacking encrypted apps therefore risks being a double-edged sword; it also appears likely to be ineffective.

However, it seems this is not lost on government. Despite concerns from the privacy camp, in her interview with Andrew Marr, Rudd said government was not telling firms to "open up", but was instead seeking engagement when there is a terrorist situation. Reports of a hastily convened meeting between the Home Secretary and executives from WhatsApp owner Facebook, Twitter, Google and Microsoft the week after the Westminster attacks suggest that talks focused not on encryption, but instead on identifying and removing (but not necessarily preventing) terrorist propaganda from social media platforms to ensure terrorists "do not have a voice online".

Focusing on cause rather than effect in this way seems likely to be a more effective, as well as less intrusive, strategy. With the general election announced in April and Brexit expected to take up significant bandwidth for the foreseeable future, it seems unlikely that any government will want to engage in anything more than sabre-rattling on encryption. In the war on terror, the government is picking its battles carefully.
